Hospital Hacking


      Hacking, the unauthorized access to data, is so common these days that it was actually news this week when there were reports of a dip in Chinese hacking incidents.

      Much of the evolving cyber-wars exist in critical areas of high finance, military, and intelligence circles. But there is a potential critical concern.

      Most life-saving hospital equipment contains almost no cyber-security. Not only can it be hacked, it's easier to break into than your smartphone or Nintendo, and the results can be lethal.

      Full Measure correspondent Lisa Fletcher has more.

      When you're sick or injured, you depend on life-saving medical equipment.

      MRIs, CT scans, and drug infusion pumps that deliver everything from pain medicine to chemotherapy are all designed to save you.

      But the way that equipment is built could put you in more danger than you ever imagined.

      Lisa Fletcher: The cybersecurity on my smartphone versus the cybersecurity built into these medical devices - which has more security?

      Billy Rios: Your smartphone, definitely. Light years ahead.

      Billy Rios is a cybersecurity expert who's identified serious threats for the Department of Defense, Google, Microsoft, and others.

      In their spare time and with their own money, he and his business partner, Jonathan Butts, buy and deconstruct vital hospital equipment to find access points hackers can exploit. They report their findings to the Department of Homeland Security.

      Fletcher: How bad is it?

      Rios: It's really bad. I don't think I've ever walked away from a medical device that didn't have some pretty serious issues. There's a medical device that we looked at, it literally had over 4,000 vulnerabilities in one device.

      Fletcher: 4,000 in one device?

      Rios: 4,000.

      Here's the deal: there are no federal requirements for cybersecurity standards on hospital equipment, which means once these machines are on a hospital's network - and there are thousands in every hospital - Rios says most are easily hacked. Settings and critical information can be changed, and he's documented it for the DHS and the FDA.

      Rios: We demonstrated that someone could take over an infusion pump and essentially change the dosage of medicine that's being given to somebody. Make them overdose on a medicine, essentially. There's not a chance for the doctor or patient to intervene. We've shown that we could crash the patient monitor or modify the data from a patient monitor so the data that's going to the physician isn't the right data. We've shown that devices, like supply cabinets, where drugs and medicines are being served from, we showed that we can take those over. We can open up all the drawers or lock all the drawers.

      And his latest undertaking? This x-ray machine.

      It took Rios and Butts less than 24 hours to hack it and reconfigure the system. Because they're "good guys," they installed a video game.

      Jonathan Butts: This is a system that controls radiation that goes to some patient. It's got Donkey Kong on it!

      If they were "bad guys," "Donkey Kong" would be malware that could do everything from incapacitate the machine to deliver lethal doses of radiation without anyone being the wiser.

      And for much of the equipment they've researched, like commonly used drug infusion pumps, the hacker can be on the other side of the world.

      Rios: Someone doesn't have to be near it, doesn't have to be close to it. 1,000 miles away and they can run some software and basically take over your device.

      This is a frightening example of what Rios handed to Homeland Security: with just a few keystrokes, he remotely enters a generic passcode, unlocks a drug infusion pump, and pushes the entire vial of medicine into a would-be patient at once.

      The FDA reacted in May of 2015 by issuing the first-ever cybersecurity advisory.

      Rios: They actually recommended that hospitals stop using a particular infusion pump.

      But to this day, Rios says the problems have not been fixed.

      Likewise for other vulnerabilities they've discovered, like hundreds of unsecured device passwords that allow access to everything from anesthesia machines to ventilators.

      Rios: The manufacturers are the only people who can change the software on the devices.

      And that, Rios says, is the fix. But remember, there are no requirements for them to do so.

      Rios: The hospitals are in a really bad situation. They have devices they know are not secure and they're essentially trying to put Band-Aids on these issues. We're talking about tens of millions of dollars the healthcare industry as a whole is spending on something that can be patched by the manufacturer for less than $5,000.

      The FDA declined our request for an interview, but did provide a written response to some questions, stating, "The FDA plays an important role in assuring safety of medical devices and our regulatory abilities allow for us to take appropriate actions to protect public health."

      Both Butts and Rios told me the FDA is not doing enough to protect the public, and that there's no reason the agency shouldn't be evaluating this equipment for cybersecurity concerns when they certify it for public use.